Simplest thing is for deployers and image builders to inject the CA that
they want to trust.  Another option would be to establish an OpenStack
community CA and ship that along with cloud-init by default.

There are lots of options that don't involve out of band.

Excerpts from Devananda van der Veen's message of 2014-01-24 14:41:44 -0800:
> Awesome! But, Ironic will still need a way to inject the SSL cert into the
> instance, e.g. config-drive over virtual media, or something.
> 
> -D
>  On Jan 24, 2014 2:32 PM, "Clint Byrum" <[email protected]> wrote:
> 
> > Excerpts from Joshua Harlow's message of 2014-01-24 14:17:38 -0800:
> > > Cloud-init 0.7.5 (not yet released) will have the ability to read from an
> > > ec2-metadata server using SSL.
> > >
> > > In a recent change I did we now use requests which correctly does SSL for
> > > the ec2-metadata/ec2-userdata reading.
> > >
> > > - http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/910
> > >
> > > The ssl-certs that it will use by default (if not provided) will be looked
> > > for in the following locations.
> > >
> > > - /var/lib/cloud/data/ssl
> > >    - cert.pem
> > >    - key
> > > - /var/lib/cloud/instance/data/ssl
> > >    - cert.pem
> > >    - key
> > > - ... Other custom paths (typically datasource dependent)
> > >
> > > So I think in 0.7.5 for cloud-init this support will be improved and as
> > > long as there is a supporting ssl ec2 metadata endpoint then this should
> > > all work out fine...
> >
> > \o/ my heroes! ;)
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > [email protected]
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
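Added example (not cloud-init's own code) of what the thread describes: locate the cert.pem/key pair in the directories listed above and build the `requests` keyword arguments for reading an ec2-metadata endpoint over TLS, verifying the server against a deployer-injected CA bundle. The CA bundle path `ca.pem` and the `read_metadata` helper are assumptions, not from the thread.

```python
import os

# Directories the thread lists, in the order cloud-init 0.7.5 is said to check them.
SSL_DIRS = ("/var/lib/cloud/data/ssl", "/var/lib/cloud/instance/data/ssl")
CERT_NAME, KEY_NAME = "cert.pem", "key"
# Assumed location of the CA the deployer/image builder injected (not from the thread).
DEFAULT_CA_BUNDLE = "/var/lib/cloud/data/ssl/ca.pem"


def find_client_cert(search_dirs=SSL_DIRS):
    """Return (cert_path, key_path) from the first directory holding both, else None."""
    for d in search_dirs:
        cert, key = os.path.join(d, CERT_NAME), os.path.join(d, KEY_NAME)
        if os.path.isfile(cert) and os.path.isfile(key):
            return cert, key
    return None


def tls_kwargs(ca_bundle=DEFAULT_CA_BUNDLE, search_dirs=SSL_DIRS):
    """Keyword arguments for requests: always verify the metadata server against the
    injected CA, and present the client cert only if one was found.  A missing CA
    bundle is an error, never a silent fallback to verify=False."""
    if not os.path.isfile(ca_bundle):
        raise FileNotFoundError("CA bundle not found: %s" % ca_bundle)
    kwargs = {"verify": ca_bundle, "timeout": 5}
    pair = find_client_cert(search_dirs)
    if pair:
        kwargs["cert"] = pair
    return kwargs


def read_metadata(base_url, path="latest/meta-data/", **overrides):
    """Assumed helper: GET one metadata path with the TLS settings above."""
    import requests  # imported here so the lookup helpers run without it installed
    resp = requests.get("%s/%s" % (base_url.rstrip("/"), path), **tls_kwargs(**overrides))
    resp.raise_for_status()
    return resp.text


def demo_layout():
    """Constructed scratch tree mirroring the two search dirs: the CA lives in the
    first, the cert/key pair only in the second.  Returns (kwargs, dirs)."""
    import tempfile
    root = tempfile.mkdtemp()
    dirs = [os.path.join(root, "data", "ssl"), os.path.join(root, "instance", "data", "ssl")]
    for d in dirs:
        os.makedirs(d)
    ca = os.path.join(dirs[0], "ca.pem")
    for p in (ca, os.path.join(dirs[1], CERT_NAME), os.path.join(dirs[1], KEY_NAME)):
        with open(p, "w") as fh:
            fh.write("placeholder, constructed for the demo\n")
    return tls_kwargs(ca_bundle=ca, search_dirs=dirs), dirs
```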
